
Saskatchewan Information and Privacy Commissioner Tables 2021-2022 Annual Report


Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski, Q.C., has tabled his office’s 2021-2022 Annual Report: Time for a Digital ID, with the Legislative Assembly.

In his report, the Commissioner addresses the need for the development of a Digital ID for Saskatchewan residents, the move toward virtual health care, the systemic issue of misdirected faxes and recommendations for legislative change.

Digital ID

As several other Canadian provinces shift towards the use of a digital ID, it is the hope that Saskatchewan develops a digital ID that meets the needs of our province. Commissioner Kruzeniski states:

“I would hope the Government of Saskatchewan continues to consult, educate and explain the benefits of a digital ID for citizens of our province. My hope is that Saskatchewan develops a digital ID that meets our province’s needs, maximizes the benefits and minimizes the risks.”

Virtual Health Care

Virtual health care has increased as a result of the COVID-19 pandemic, and consideration is required to ensure that personal health information is adequately protected. Commissioner Kruzeniski outlines ten expectations that should be considered as these virtual care initiatives move forward.

Spotlight on Misdirected Faxes

Over the last decade, there have been concerns about misdirected faxes, which continue to be a systemic issue affecting patient privacy and the delivery of patient care. Several recommendations have been made to collectively address this concern, including the elimination of traditional fax machines.

Recommendations for Change

The Commissioner concluded by summarizing the recommendations for legislative change to amend The Freedom of Information and Protection of Privacy Act, The Local Authority Freedom of Information and Protection of Privacy Act and The Health Information Protection Act. The goal is that these recommendations will address the gaps and challenges with the legislation as we move from a paper-based society to a digital one.

The Commissioner’s 2021-2022 Annual Report, which includes accomplishments, goals for the future, a thorough statistical report and recommendations for the development of a digital ID, virtual care initiatives, the handling of misdirected faxes and legislative change, can be viewed here.

A video containing the Commissioner’s comments on the Annual Report can be viewed here.


Media contact:

Julie Ursu, Manager of Communication

Telephone: 306-798-2260

Email: jursu@oipc.csk.ca


But I’m the Applicant – how can my submission help?

So, you have requested a review of an access to information request under The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), or The Health Information Protection Act (HIPA). The IPC has opened the file and sent you an email notifying you of the review. However, in the notification email YOU have been invited to make a submission on the matters at hand. You might be thinking to yourself, why would I prepare a submission? I want to assure you that there is no onus on the applicant to make a submission – however, it can be helpful.

First of all, what is a submission?  In a nutshell, for an applicant, a submission gives you the ability to counter the position taken by the local authority, government institution or trustee if you disagree with the decision they made regarding your access to information request. The IPC has developed the resource A Guide to Submissions – Increasing your chances of success (Guide to Submissions -updated December 2022). This resource includes tips for applicants on how to create a submission. In this resource, the IPC has outlined what you may wish to prepare your submission on – depending upon the scope of the review. This includes:

  • An applicant disagrees with the exemption(s) claimed to the record.
  • An applicant is not satisfied that a reasonable fee was estimated.
  • An applicant believes that all or part of the fee should be waived.
  • A head (of the local authority or government institution) or trustee failed to respond to the access to information request within the required time.
  • An applicant requests a correction of personal information or personal health information and the correction is not made.
  • An applicant does not believe that a sufficient search was conducted.

When preparing a submission, if you have any evidence to support your arguments, that can be a great help to the IPC over the course of a review. For example, if the scope of the review includes your belief that an adequate search for records was not conducted and you have evidence of that, provide the evidence as an attachment with your submission. One situation where you may have evidence that an adequate search was not conducted is where you have been provided a copy of an email as part of the response, but the attachment to the email has not been included with the response.

The Guide to Submissions includes a template that applicants may wish to use for preparing a submission. However, you can also send your submission in the form of an email – it really doesn’t have to be fancy.

If you would like some additional guidance on what the IPC is looking for in your particular review, contact the analyst who has been assigned the file – you will find that information in the notification email advising you of the review or investigation. If you are not sure who the analyst is, please contact our general inquiry line at 306-787-8350.


RIM Best Practices

Records and Information Management (RIM) practices are important for any organization. My office has developed a guide dealing with RIM. The guide contains many best practices that an organization can adopt.

The goal here is that an organization implements best practices which, over time, become everyday practices. Check out the guide here. This guide is based on the Ontario resource Improving Access and Privacy with Records and Information Management.


An activity booklet for kids

The Ontario Information and Privacy Commissioner released a privacy activity book, Privacy Pursuit! Games and Activities for Kids, to help kids better understand and protect their online privacy.

In the Commissioner’s blog she says:

This new activity booklet is designed to help kids learn more about online privacy through games like word searches, crossword puzzles, cryptograms, and word matches, among other fun activities. Through these exercises, kids will pick up some easy-to-understand tips that will help them watch out for scams, protect their privacy, and stay safe online. Some thought-provoking questions will also guide kids through a process of self-discovery by reflecting on what privacy means to them and how to respect the privacy of others through caring and empathy.

Check it out and see if it increases the awareness of your children regarding privacy.


Saskatchewan Information and Privacy Commissioner Tables 2020-2021 Annual Report

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski, Q.C., has tabled his office’s 2020-2021 Annual Report: Change is in the Air, with the Legislative Assembly.

In his report, the Commissioner addresses the need to update Saskatchewan’s access and privacy legislation. The Freedom of Information and Protection of Privacy Act and The Local Authority Freedom of Information and Protection of Privacy Act were implemented in 1992 and 1993 respectively, at a time when paper records were the norm. Society has shifted. Technology and the digitization of information are now the rule. Kruzeniski stated:

“A vast amount of information about each of us is housed in databases, many of which are accessible by the internet. We look up information, we order things, and we pay bills and communicate with one another through the utilization of these databases and the internet. It is time that we modernize our access and privacy legislation to take this into account.”

The Commissioner concluded by summarizing the legislative changes that are happening in access and privacy jurisdictions across the country.


Media contact:
Kara Philip, Manager of Communication
Telephone: 306-798-2260
Email: kphilip@oipc.sk.ca


News Release for 2020-2021 Annual Report


Mediation or case-by-case privilege

In the Commissioner’s Review Report 065-2020, he considered if mediation or case-by-case privilege applied to the records in question. The public body had claimed mediation or case-by-case privilege pursuant to subsection 22(a) of The Freedom of Information and Protection of Privacy Act (FOIP).

The Commissioner considered orders issued by the Office of the Information and Privacy Commissioner for Prince Edward Island (PEI IPC) and the Office of the Information and Privacy Commissioner of Alberta (AB IPC) in his analysis of the public body’s claim of mediation or case-by-case privilege. I will briefly describe the orders by PEI IPC and AB IPC.

In Order FI-09-005, the PEI IPC summarized what the Ontario Superior Court of Justice (Divisional Court) and the Supreme Court of Canada have said on mediation privilege and how it is considered on a case-by-case basis:

In Rudd v.  Trossacs Investments Inc. 2006 CanLII 7034 (Ont.  S.A.), Swinton, J. reviewed the case law in respect of mediation privilege. At pp. 25-30, the justice says:

[26] Common law principles have recognized a privilege for confidential communications in certain important societal relationships.  In Slavuytych v.  Baker (1975), 1975 CanLII 5 (SCC), 55 D.L.R.  (3d) 224, the Supreme Court of Canada held that the four conditions from Wigmore on Evidence should be applied to determine whether communications are privileged (at 228):

(1) The communications must originate in a confidence that they will not be disclosed.

(2) The element of confidentiality must be essential to the maintenance of the relationship in which the communications arose.

(3) The relationship must be one which, in the opinion of the community, ought to be “sedulously fostered”.

(4) The injury caused to the relationship by disclosure of the communications must be greater than the benefit gained for the correct disposal of the litigation.

[27] In Slavuytych, the Court held that a document submitted in a university tenure process was privileged – in part because the document was labeled “confidential”, and in part because of the importance of confidentiality in the tenure process, where individuals are asked to give their frank opinion of colleagues.

Swinton, J.  also refers to a more recent case from the Supreme Court of Canada, saying:

[28] In M.(A.) v. Ryan 1197 CanLII 403 (S.C.C.), (1997), 1997 CanLII 403 (SCC), 143 D.L.R. (4th) 1 (S.C.C.), the Supreme Court reaffirmed the approach in Slavuytych, making it clear that privilege is to be determined on a case by case basis (at para.  20).

In my opinion, the Supreme Court of Canada’s views on the existence of legal privilege, outside of solicitor-client privilege or parliamentary privilege, still prevails.  Thus, it is a matter of determining whether, on the facts of the case, the conditions set out in Wigmore on Evidence have been met.

[Emphasis added]

Further, in Order 96-020, the AB IPC provides that case-by-case privilege can apply to two types of records: 1) private records, or 2) Crown records. Different criteria apply to each type of record in determining whether case-by-case privilege applies. If the records are “private records”, then the “Wigmore criteria” as set out in PEI IPC’s Order FI-09-005 (quoted above) can be used to determine if case-by-case privilege applies. If the records are Crown records, then the AB IPC indicated that the Crown “must put forth a proper claim based on the criteria for public interest immunity” in determining if case-by-case privilege applies. The AB IPC said:

[79.] For a case-by-case privilege to attach to Crown records, the Court in Carey v. Ontario said that the Crown must put forth a proper claim based on the criteria for public interest immunity. Those criteria, which have been adopted by Leeds v. Alberta (Minister of the Environment) (1990), 69 D.L.R. (4th) 681 (Alta. Q.B.), are:

(1) The nature of the policy concerned.

(2) The particular contents of the documents.

(3) The level of the decision-making process.

(4) The time when a document or information is to be revealed.

(5) The importance of producing the documents in the administration of justice, with particular consideration to:

(i) the importance of the case

(ii) the need or desirability of producing the documents to ensure that the case can be adequately and fairly represented

(iii) the ability to ensure that only the particular facts relating to the case are revealed.

(6) Any allegation of improper conduct by the executive branch towards a citizen.

In Review Report 065-2020, the Commissioner determined that the records were private records. As such, he applied the Wigmore criteria to determine if mediation or case-by-case privilege applied to the records. To see the Commissioner’s analysis, findings, and recommendations, check out the report here.

In Review Report 171-2019, the Commissioner determined that the records were Crown records. Therefore, he adopted the public interest immunity criteria set out in AB IPC Order 96-020.

When considering if mediation or case-by-case privilege applies to records, public bodies should do the following:

  • Determine if the records are “private records” or “Crown records”.
  • If the records are “private records”, then apply the Wigmore criteria to determine if mediation or case-by-case privilege applies.
  • If the records are “Crown records”, then apply the public interest immunity criteria.

In either case, a public body claiming that records fall into one of these categories should be ready to make its case in the event a review by our office is undertaken, as the burden of proof rests with the public body.


Federal, Provincial and Territorial Information and Privacy Commissioners and Ombudsman issue joint resolution about privacy and access to information rights during and after a pandemic

In a joint resolution, Canada’s Information and Privacy regulators called on their respective governments to respect Canadians’ quasi-constitutional rights to privacy and access to information. The regulators took note of the serious impact the COVID-19 pandemic has had on the right of access to information and privacy rights in Canada and called on governments to use the lessons learned during the pandemic to improve these rights.

The global pandemic has brought to the forefront the pressing need for strong access to information and privacy laws. The regulators noted that the pandemic has accelerated trends that were ongoing prior to March 2020, namely concerns among the public about increasing surveillance by public bodies and private corporations and the slowing down of processing access requests. The pandemic has also highlighted the need to modernize the access to information system by leveraging technology and innovation to advance transparency.

Saskatchewan’s Information and Privacy Commissioner, Ron Kruzeniski, Q.C., stated:

“There is no doubt that technology and digitization have been instrumental in the response to the pandemic. As we work towards recovery, I encourage authorities to consider the impact such initiatives have on our access and privacy rights. The lessons we have learned during this global crisis should be used to modernize our access and privacy legislation. Digitization is here to stay. It is time our legislation reflected that.”

The joint resolution adopted 11 access to information and privacy principles and called on Canada’s governments to show leadership by implementing them and making the modernization of legislative and governance regimes around freedom of information and protection of privacy a priority.


Related Document:
Joint Resolution: Reinforcing Privacy and Access to Information Rights During and After a Pandemic

Media Contact:
Kara Philip, Manager of Communication
Office of the Saskatchewan Information and Privacy Commissioner
Phone: 306-798-2260
Email: kphilip@oipc.sk.ca


Vaccine passports must meet highest level of privacy protection

Privacy should be front and centre as governments and businesses consider COVID-19 vaccine passports as a tool to help Canadians return to normal life, say Canada’s privacy guardians.

Vaccine passports would allow people to travel and gather again and could support economic recovery while protecting public health. They would, however, require individuals to disclose personal health information about their vaccine or immunity status in exchange, potentially, for access to goods and services, for example, restaurants, sporting events and airline travel.

“While this may offer substantial public benefit, it is an encroachment on civil liberties that should be taken only after careful consideration,” federal, provincial and territorial privacy commissioners and the ombuds of Manitoba and New Brunswick say in a joint statement issued today.

“Vaccine passports must be developed and implemented in compliance with applicable privacy laws.  They should also incorporate privacy best practices in order to achieve the highest level of privacy protection commensurate with the sensitivity of the personal health information that will be collected, used or disclosed,” the statement says.

The statement was endorsed during the annual meeting of federal, provincial and territorial access to information and privacy guardians. The Manitoba Ombudsman hosted the meeting, which took place virtually given the pandemic.

This statement outlines fundamental privacy principles that should be adhered to in the development of vaccine passports.

In particular, it notes that, in light of the significant privacy risks involved, the necessity, effectiveness and proportionality of vaccine passports must be established for each specific context in which they will be used.

In other words, vaccine passports need to be shown to be necessary to achieve the intended public health purpose; they need to be effective in meeting that purpose; and the privacy risks must be proportionate to the purpose, i.e. the minimum necessary to achieve it.

Further, vaccine passports, whether introduced by governments or public bodies for public services, or by private organizations, need to have clear legal authority. In addition, organizations considering vaccine passports should consult with the privacy commissioners in their jurisdiction as part of the development process.

The statement also notes that any personal health information collected through vaccine passports should be destroyed and vaccine passports decommissioned when the pandemic is declared over by public health officials or when vaccine passports are determined not to be a necessary, effective or proportionate response to address their public health purposes. Vaccine passports should not be used for any purpose other than COVID-19.


Related Documents
Joint statement – Privacy and COVID-19 Vaccine Passports

For more information:
Office of the Privacy Commissioner of Canada
Manitoba Ombudsman
Provincial and territorial privacy Ombudspersons and Commissioners

Media Contact
Kim Mignon-Stark  |  Executive Assistant
kmignon-stark@oipc.sk.ca
306-798-0173


UPDATED – Advisory from the IPC on questions regarding vaccines for organizations, employers and health trustees

Announcements regarding the approval of vaccines for COVID-19 have been greeted with excitement. The rollout of vaccines is occurring in our province and in other provinces in Canada. As citizens receive the vaccine, questions arise as to how organizations, health trustees and employers will handle this new reality. In my Advisory from the Office of the Information and Privacy Commissioner of Saskatchewan on questions, screening or testing by employers regarding COVID-19, I attempted to answer many of the questions surrounding the issue of employers asking questions about screening or testing for COVID-19. This Advisory attempts to answer similar questions in regard to getting the vaccination for COVID-19.

Can organizations ask whether a customer or employee has received a vaccination for COVID-19?

Private sector businesses and other organizations engaged in commercial activities in Saskatchewan are not covered by The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), but are subject to orders made under The Public Health Act, 1994. Many organizations are covered by the Personal Information Protection and Electronic Documents Act (PIPEDA). I note that PIPEDA only protects personal information of employees of federally regulated businesses, works and undertakings (FWUBs). Those organizations, if they have questions, may have to contact the Federal Privacy Commissioner. It should be noted that the federal government has introduced Bill C-11, which introduces significant changes to PIPEDA. In some cases, PIPEDA provides rules and protection for employee personal information and in others, it does not. Whether or not an employer in Saskatchewan fits any of the following definitions, the advice below can be considered best practice and an employer can choose to follow it.

What organizations are covered by PIPEDA?

PIPEDA defines an “organization” in Part 1, section 2(1) as follows:

  “organization” includes an association, a partnership, a person and a trade union.

PIPEDA indicates that the “protection of personal information” applies as:

  (1) This Part applies to every organization in respect of personal information that

  (a) the organization collects, uses or discloses in the course of commercial activities; or

PIPEDA defines “commercial activity” as follows:

  “commercial activity” means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

As one can see, an “organization” is broad and includes a business, community-based organization and charity, if that organization carries on commercial activity. In the rest of this Advisory I will refer to them as “organizations”; they are covered by PIPEDA and not by FOIP or LA FOIP.

Let us now turn to discuss employers who are covered by FOIP, LA FOIP or The Health Information Protection Act (HIPA).

Can an employer ask an employee whether they have received the vaccination for COVID-19?

Some employers may be considering whether they will require their employees to receive the vaccine or provide a vaccination certificate for COVID-19. Employers have an obligation to make a workplace safe to work in within reasonable limits. The Saskatchewan Employment Act provides:

General duties of employer

3‑8 Every employer shall:

(a) ensure, insofar as is reasonably practicable, the health, safety and welfare at work of all of the employer’s workers;

(h) ensure, insofar as is reasonably practicable, that the activities of the employer’s workers at a place of employment do not negatively affect the health, safety or welfare at work of the employer, other workers or any self-employed person at the place of employment; and

Each employer will have to make a fundamental decision as to whether they need all employees to receive the vaccine or provide a vaccination certificate to make the workplace safer.

Prior to considering what privacy legislation might apply, employers need to seriously consider whether they want to require employees to receive the vaccine or provide a vaccination certificate. Because these vaccines are new, there will be questions about their use and effectiveness. There may be workplaces where social distancing, wearing masks and washing hands may be determined to be sufficient protection. These are considerations for the employer. Requiring employees to receive the vaccine is a fundamental issue and can be controversial. Requiring proof that an employee has received the vaccine is less controversial, but does have privacy implications. It gets us into the issue of whether employers can or should require medical tests in the workplace. There has been considerable debate and court challenges over testing for drugs in the workplace. This is a particularly challenging issue for hospitals, medical clinics, long-term care and group homes. Employers need to know that requiring employees to receive the vaccine or provide a vaccination certificate might result in a court challenge.

The OPC in “A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century” stated:

Following the enactment of the Canadian Charter of Rights and Freedoms in 1982, the Supreme Court of Canada formulated a methodological test to determine whether the violation of a Charter right is nonetheless justifiable in a free and democratic society. Stemming from the case R. v. Oakes, this became known widely as the Oakes test. It requires:

  • Necessity: there must be a clearly defined necessity for the use of the measure, in relation to a pressing societal concern (in other words, some substantial, imminent problem that the security measure seeks to treat),
  • Proportionality: that the measure (or specific execution of an invasive power) be carefully targeted and suitably tailored, so as to be viewed as reasonably proportionate to the privacy (or any other rights) of the individual being curtailed,
  • Effectiveness: that the measure be shown to be empirically effective at treating the issue, and so clearly connected to solving the problem, and finally,
  • Minimal intrusiveness: that the measure be the least invasive alternative available (in other words, ensure that all other less intrusive avenues of investigation have been exhausted).

The balance of this Advisory presumes an employer has made the decision to require vaccinations and understands the legal risks of a challenge, but intends to proceed.

What questions might an employer ask?

If an employer decides to require vaccinations, what questions might the employer be asking? Possible questions include:

  • Are you planning to get vaccinated?
  • When will you receive your first injection?
  • Have you received your first injection?
  • When will you receive your second injection?
  • Have you received your second injection?
  • Do you have a vaccination certificate?
  • Will you show me a vaccination certificate?
  • Will you provide me with a vaccination certificate?

The least intrusive approach would be that an employer requests, “Please show me your vaccination certificate”. The employer looks at the certificate and does nothing else. Slightly more intrusive would be where the employer checks off on an employee list that this employee has a vaccination certificate.

What questions might be asked in a pre-employment interview?

The above questions could be asked of existing employees. Another question is what employers might want to ask of people applying for a job. Employers will need to decide whether they ask any questions or no questions at all.

What privacy legislation might apply?

If an employer decides to require the employee to show or provide a vaccination certificate, the employer needs to know what privacy legislation applies. FOIP applies to government institutions which include Crown corporations, boards, agencies and other prescribed organizations. Part IV of FOIP deals with the collection, use, disclosure, storage and protection of personal information.

LA FOIP applies to local authorities which include cities, towns, villages, municipalities, universities and the Saskatchewan Health Authority. Part IV of LA FOIP deals with the collection, use, disclosure, storage and protection of personal information.

HIPA applies to health trustees, which include government institutions, the Saskatchewan Health Authority, a licensed personal care home, a health professional licensed under an Act, a pharmacy, and licensed medical laboratories with custody or control of personal health information. Parts III and IV of HIPA deal with collection, use, disclosure, storage and protection of personal health information.

If an employer falls into one of the above categories, then that particular statute will apply to the collection, use, disclosure, storage and protection of personal information/personal health information. To be sure, an employer should check each of the Acts to see if it has any application to it. If in doubt, the employer should obtain legal advice.

Regulations under each of the Acts can also prescribe the organizations that are government institutions, local authorities or health trustees.

The Privacy Act may allow a lawsuit where a business, community-based organization, employer or health trustee has breached someone’s privacy.

A further issue is that after the employee has received the vaccine, is the employee required to show or provide a proof of vaccination? Will the employer accept the employee’s word that the vaccination was taken? If the employee is required to provide proof, will the employer visually examine it or make a copy of it? If so, by whom and for what purpose? If a copy is made, the record may be accessible under HIPA, FOIP or LA FOIP.

If an employer is in doubt regarding requiring employees to get vaccinated or requiring a copy of the vaccination certificate, the employer should obtain legal advice.

What is the purpose of the employer asking whether an employee has gotten a vaccine or requiring a vaccination certificate?

Before embarking upon requiring vaccinations, the employer must determine the purpose for which it is requiring vaccinations and the purpose for an employee showing or providing a vaccination certificate. Is it to keep the workplace safe? More specifically, is it to prevent transmission of COVID-19 being spread from employee to employee, customer or patient? It is important that the employer define the purpose before starting and not change the purpose after starting.

How should employers notify their employees of the purpose?

Employers should be open and transparent. They should advise staff that they will be asking the employee to show or provide the vaccination certificate and inform them of the purpose for so asking. Later, at the showing or providing of the vaccination certificate, tell employees the purpose of the collection, what will be collected, who it will be shared with and how long the information will be stored. Employees will particularly want to know if the employer is sharing the information with other third parties, why, and under what legal authority.

The employer can provide other staff with statistical information, such as how many have been vaccinated. The employer should not give out names or identify the ones who were or were not vaccinated as this may be considered a privacy breach.

What information will the employer collect?

Asking an employee whether they have had the vaccination and requesting the showing or providing of a vaccination certificate is a collection of personal information/personal health information. Employers should collect the least amount of information necessary to achieve the purpose. If the employer is comfortable, they could choose to accept the employee’s verbal statement that they have had the vaccination. Alternatively, the employer could ask the employee to show a vaccination certificate, but choose not to make a copy of the vaccination certificate. This is referred to as the data minimization principle, that is, only collect what is needed to achieve the purpose.

What if an employee refuses to be vaccinated?

If an employee refuses to get the vaccination, refuses to confirm that they had the vaccination or refuses to show or provide a vaccination certificate, employers will need to decide whether they will require the employee to wear a mask at work, stay home and self-isolate, send the employee home without pay or end the employment relationship.

Can the employer use the information for any other purpose?

The employer must determine its authority to collect for a defined purpose, and only collect personal information/personal health information for that purpose. This may include the employee providing the information for that purpose (indicating they had a vaccination and showing or providing a vaccination certificate). The employer should check the relevant legislation before using that information for any other purpose without getting the consent of the employee.

Who can the employer share the information with?

Since the employer has collected the information that the employee has received the vaccination or refused to get it, the employer needs to determine who in the organization needs to know. If the employee gets the vaccination, very few people need to know, but the employer can provide statistical information as to how many employees have received the vaccination. If the employee refuses to get the vaccination and is sent home, very few people need to know. Just like other sensitive health information, it is confidential, and the employer should prohibit supervisors and HR employees from sharing the information with other staff. This does not prevent an individual employee from alerting others around them that they have been vaccinated (sticker, badge, lanyard, headband). An employer could promote this, but should not make it mandatory.

Where does an employer store this information?

The choices are storing it on the employee’s HR personnel file, storing it on the employee’s separate health information file or storing it in a separate folder for all employees, containing all information regarding vaccination of employees or refusal to vaccinate. There is probably no need to store it anywhere else.

The information the employer has collected must be stored in a secure place. Once the employer collects personal information/personal health information about an employee, it is the employer’s obligation to ensure it is protected and only those with a need-to-know should be able to access it. Possibly the best practice is to set up a separate employee file to contain any personal health information collected. That would include COVID-19 vaccination and testing information.

Is an employer obliged to secure the information?

Under privacy legislation, there is an obligation for an employer to protect and secure the information collected and stored. If an employer is not subject to privacy legislation, best practice would suggest the information be protected. Other resources have made suggestions on securing information and a few tips are given by the British Columbia Information and Privacy Commissioner.

Your organization must make reasonable security arrangements to protect personal information in its custody or under its control. For example, if the collected information is in paper form, it should not be left in a publicly accessible area. Rather, it should be stored in a locked file cabinet. If you are storing the list on a computer, make sure the computer is password protected, encrypted, and on a secure network. Position computer monitors so that personal information displayed on them cannot be seen by visitors.

When should the employer destroy the information?

How long is an employer going to keep this information? Will it get destroyed in accordance with the employer’s destruction of documents policy? Should it have a special destruction period, shorter than the normal? Could it or should it be destroyed within six months? Employers need to decide whether they will develop a policy including destruction guidelines. Maybe the information collected can be destroyed earlier than an employer’s standard procedure.

Do employers need to develop a policy on COVID-19 vaccinations?

Once an employer has made a decision, the employer should consider developing a policy. In normal times, my office would recommend a privacy impact assessment (PIA). In these unique times, an employer might move very quickly and my office would still recommend either a shortened version of a PIA or a policy statement regarding COVID-19 vaccinations. Whatever the form of the document, it should contain:

  • authority for the collection;
  • a statement of the purpose;
  • a statement as to whether employees will be asked to show a vaccination certificate;
  • a statement on possible actions taken based on whether the employee has the vaccination or not;
  • a statement on where information will be stored;
  • a statement as to who it will be shared with (with public authorities or not); and
  • a statement on when the information will be destroyed.

Can a public body ask visitors whether they have had a vaccination for COVID-19?

Public bodies (government institutions and local authorities) have carried on their activities during the pandemic. As much as possible, communications have shifted to emails and telephone calls, but it is still possible that citizens or patients will attend at a public body’s front door or reception area. The question arises: can those public bodies ask questions about receipt of a vaccination for COVID-19? Secondly, can public bodies insist on seeing a vaccination certificate? If a public body decides to ask the citizen or patient whether they had a vaccination, then many of the questions raised above would apply. Of course, public bodies considering this issue should think about obtaining legal advice.

Can a health trustee ask whether patients or employees received a vaccination for COVID-19?

Health trustees are subject to HIPA. That Act contains principles similar to FOIP and LA FOIP when it comes to collection, use, protection or disclosure of information (in this case personal health information). Many of the questions posed and answered above will apply to health trustees.

Conclusion

The principles are simple: establish the purpose and authority, collect the least amount of information to meet the purpose, share it only with those who need to know, store it, keep it secure and destroy it when no longer needed. This is good advice whether a business, non-profit, employer or health trustee is subject to privacy legislation or not.

The Information Commissioner’s Office in Great Britain has issued a document regarding “work testing – guidance for employers”. Although British legislation is different from the legislation in Saskatchewan, the principles set out are good ones and may have some application to public bodies and health trustees in Saskatchewan.

Ronald J. Kruzeniski, Q.C.
Information and Privacy Commissioner

Media contact:
Julie Ursu
jursu@oipc.sk.ca

UPDATED: IPC Advisory on questions regarding vaccines for organizations, employers and health trustees

Additional Resources

UK Information Commissioner Office:
Data protection and coronavirus – advice for organizations
Data protection and coronavirus – six data protection steps for organizations
Health, social care organisations and coronavirus – what you need to know

Alberta Office of the Information and Privacy Commissioner:
Pandemic FAQ: Customer Lists

British Columbia Office of the Information and Privacy Commissioner:
Collecting Personal Information at Food and Drink establishments, gatherings, and events during COVID-19

Ontario Office of the Information and Privacy Commissioner:
COVID Alert and Your Privacy

Saskatchewan IPC finds ransomware attack results in one of the largest privacy breaches in this province involving citizens’ most sensitive data

An investigation by the Information and Privacy Commissioner of Saskatchewan has found that eHealth Saskatchewan (eHealth), the Saskatchewan Health Authority (SHA) and the Ministry of Health (Health) were the victims of a ransomware attack in late December 2019 and early January 2020, resulting in one of the largest privacy breaches in this province.

On December 20, 2019, an SHA employee opened an infected Microsoft Word document from their personal email account on their personal device while the personal device was being charged by a USB cord on their SHA workstation. The infected Microsoft Word document triggered the execution of ransomware on the workstation and a multi-phase exploit took place between December 20, 2019 and January 5, 2020. This ultimately led to a Ryuk ransomware attack on January 5, 2020, where the attackers made a ransomware demand. The attack affected fileshares with eHealth, the SHA and Health due to the shared infrastructure on which the fileshares reside.

On January 21, 2020, eHealth discovered that files were disclosed to malicious internet protocol (IP) addresses in Germany and the Netherlands. In total, approximately 40 gigabytes of encrypted data was extracted.

Through its investigation, eHealth advised my office that the affected servers contained approximately 50 million files across eHealth, the SHA and Health. eHealth conducted a metadata scan of those 50 million files and identified that approximately 5.5 million of those files may contain personal information and personal health information. eHealth developed a tool to scan the 5.5 million files and that tool identified a total of 547,145 files that potentially contain personal information and/or personal health information.

As there were a minimum of 547,145 files containing personal information and/or personal health information exposed to the ransomware (possibly more depending upon the accuracy of the tool developed by eHealth), the Commissioner concluded that personal information and personal health information of citizens of Saskatchewan was either exposed to the malware or maliciously stolen from eHealth, the SHA and Health.

Through the Commissioner’s investigation, it was discovered that there were three critical opportunities – two by eHealth and one by the SHA employee – where the ransomware may have been detected at an earlier stage. Had these opportunities not been missed, eHealth may have been able to detect the ransomware, shut down its systems and stop the extraction of data.

“eHealth is charged with collecting, storing and protecting the most sensitive health data in our province,” says Information and Privacy Commissioner Ron Kruzeniski. “Each of us has personal health information in eHealth’s systems. It is absolutely reasonable that each citizen demand the very highest level of security on our health information. To accept less is irresponsible.”

The Commissioner found that eHealth failed to fully investigate the two early threat occurrences, which may have prevented the malicious extraction of data that followed. He also determined that eHealth did not sufficiently provide notification and that the SHA and Health failed in their notification efforts due to the excessive delay in providing notification. Furthermore, the Commissioner found that the SHA did not provide the employee at the heart of the incident with training on its Acceptable Use of IT [Information Technology] Assets policy.

“Because we are dealing with the most sensitive personal health information, every person who has access to this information needs to be trained, retrained and trained again as to the things they can do and especially the things they cannot do,” says Information and Privacy Commissioner Ron Kruzeniski. “This incident reveals the tremendous cost of one employee doing something and other employees failing to follow up rigorously on the warnings given.”

The Commissioner made a number of recommendations, including:

  • that eHealth undertake a comprehensive review of its security protocols to include an in-depth investigation when early signs of suspicious activity are detected;
  • that the SHA and Health take immediate steps to provide mass notification including media releases, newspaper notices, website notices and social media alerts;
  • that eHealth, the SHA and Health work together and provide identity theft protection, including credit monitoring, to affected individuals for a minimum of five years from the date an affected individual’s information is discovered on the dark web or to any concerned citizen who requests this protection;
  • that eHealth review whether it should have IT security staff in place 24 hours a day, seven days a week to actively monitor and investigate potential threats;
  • that all eHealth and eHealth partners be required to complete cyber security and privacy refresher training on an annual basis; and
  • that the Minister of Health immediately commence an independent governance, management and program review of eHealth based upon the concerns put forward by SaskTel, the Provincial Auditor and this Report.

The Commissioner recognizes that organizations are under continued threat of cyber security attacks. Therefore, the organizations that hold citizens’ most sensitive data must strive to have the best protected systems with the most thoroughly trained employees to mitigate the risks of these attacks happening.

The Commissioner acknowledges that, “eHealth, the SHA and Health have begun to take the necessary steps to ensure they are protecting the personal information and personal health information of the citizens of this province.”

Related Documents

Investigation Report 009-2020, 053-2020, 224-2020

Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on eHealth Saskatchewan Potential Privacy Breach – January 16, 2020

Media Contact

Kara Philip (Manager of Communication)
kphilip@oipc.sk.ca
306-798-2260

IPC News Release on Ransomware Investigation Report
